Unix Security

System & Network Security, HP-UX

This document shows system administrators how to better secure their UNIX systems. There are no guarantees of
its completeness. In addition, the author takes no responsibility if a person misuses this information. There are
many versions of Unix. This paper gives examples for HP-UX.

The subject of internal security is often overlooked. However, it is often fairly easy for someone to get access
to systems they are not supposed to have access to by simply walking up to a valid user's desk. This can be the
cleaning staff or a disgruntled (ex)employee making a visit. This is the easiest type of security to implement and
should definitely be included in any security plan.

Console security

Machines and consoles need to be secure. A person who has access to a computer can simply turn it off. If they
have access to the console, they can often interrupt the boot process to get access to the root
prompt. If this doesn't work, they can keep guessing the root password in hopes of compromising the system.

For these reasons (and more), the computers and associated consoles should be kept in a secure room. A limited
number of people should have access to this room, of course with a limited number of keys. Some places actually
have security guards let people into the computer rooms for guaranteed secure access.

If your data is sensitive, be certain to verify that there are no alternative methods for getting into the
room. This includes hidden spare keys in an unsecured place, gaps in the raised floors that go past the locked
access point, and space above the ceilings.

Data Security

Companies that value their data need a detailed backup recovery scheme. This includes on-site
backups for the least amount of downtime, a copy of this data off site in case of computer room disasters, as well
as contingency plans. Unfortunately, an easy way to get access to a company's data is to gain access
to backup tapes and sensitive printouts. Hence, all sensitive information should be stored in locked cabinets.
Backup tapes sent off site should be in locked containers. Old sensitive printouts and tapes should be
destroyed.

To protect against computer damage from power outages (and spikes), be certain to have your computers on a UPS.
This provides consistent power and protects the computer against both outages and power spikes.
Ideally, there should be a backup generator for production systems. For non-production systems, there should be
an automatic way to shut down the computer if the power has been switched to the UPS for more than 1/2 the time the
UPS is rated to supply.

To prevent snooping, secure network cables from exposure.

Users practice secure measures

Always have users lock their screen when away from their desk. It is best if they log off their
terminal/workstation at night. There should be no written passwords or password hints on a user's desk. If users
are using X, verify that they are using xauth/xhost to prevent others from reading their screen.

NO welcome banner on site

Court cases have shown that initial banners must NOT say "welcome".

Your banner should say something like: "Only authorized access allowed; violators will be prosecuted". In
addition, change /etc/issue so that it does NOT include the machine type/OS revision.
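
The banner rules above can be checked mechanically. The shell function below is an added example, not part of
the original document; the name audit_banner and the test for the word "authorized" are assumptions made for
illustration, and the machine type/OS revision strings are taken from uname on the host being audited.

```shell
#!/bin/sh
# Added example: audit a login banner file against the rules in this section.
# Usage: audit_banner /etc/issue
# Prints one line per finding. Returns 0 if the banner passes, 1 if it has
# findings, 2 if the file cannot be read.
audit_banner() {
    banner=$1
    findings=0

    if [ ! -r "$banner" ]; then
        echo "ERROR: cannot read $banner"
        return 2
    fi

    # Rule 1: the banner must NOT say "welcome" (any capitalisation).
    if grep -i -q 'welcome' "$banner"; then
        echo "FINDING: $banner contains the word 'welcome'"
        findings=1
    fi

    # Rule 2: the banner must not include the machine type/OS revision.
    # Compare against what this host reports: OS name, release, hardware type.
    for token in "$(uname -s)" "$(uname -r)" "$(uname -m)"; do
        [ -n "$token" ] || continue
        # -F: fixed string, so dots and slashes in the token are literal.
        if grep -F -i -q -e "$token" "$banner"; then
            echo "FINDING: $banner discloses '$token'"
            findings=1
        fi
    done

    # Rule 3 (assumed wording): the banner should carry an
    # authorized-access warning such as the one suggested above.
    if ! grep -i -q 'authorized' "$banner"; then
        echo "FINDING: $banner has no authorized-access warning"
        findings=1
    fi

    return $findings
}
```

Run it from cron or a configuration check against /etc/issue and any other banner files the site uses; the
non-zero return code makes it easy to alert on a banner that has drifted.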